Horde IMP IMP_MIME_Viewer_html Class XSS

medium Nessus Plugin ID 11815

Language:

Synopsis

The remote web server is affected by a cross-site scripting vulnerability.

Description

The remote server is running at least one instance of IMP whose version number is between 3.0 and 3.2.1 inclusive. Such versions are vulnerable to several cross-scripting attacks whereby an attacker can cause a victim to unknowingly run arbitrary JavaScript code simply by reading an HTML message from the attacker.

Note : Nessus has determined the vulnerability exists on the target simply by looking at the version number of IMP installed there. If the installation has already been patched, consider this a false positive.

Solution

Upgrade to IMP version 3.2.2 or later or apply patches found in the announcements to imp/lib/MIME/Viewer/html.php.

See Also

https://marc.info/?l=imp&m=105940167329471&w=2

http://marc.info/?l=imp&m=105981180431599&w=2

https://marc.info/?l=imp&m=105990362513789&w=2

Plugin Details

Severity: Medium

ID: 11815

File Name: imp_mime_viewer_html_xss.nasl

Version: 1.27

Type: remote

Published: 8/8/2003

Updated: 8/15/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:horde:imp

Vulnerability Publication Date: 7/28/2003

Reference Information

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990